Hi. Passwordless Recipe. Why is the magic link of the form /auth/verify?rid=passwordless&preAuthSessionId=# ? i.e. Why is the linkCode an anchor and not a query param? I cannot manage to use it this way and I don't understand why it is like this.

HI @User - it's not a query param due to security best practices. Query params tend to get saved in the browser history.

The OTP side is fine, my issue is with the magic link. Because

POST /{apiBasePath}/signinup/code/consume

requires

preAuthSessionId

(which I have) but also

linkCode

, which I cannot extract from the url as it is an anchor.

You can extract it using location.hash.substr(1)

ok. I wanted to do this in SvelteKit's load function, which is SSR, so I cannot access window nor document. I'll just get it from window.location.hash... after the page is mounted

I see.

apparently it's not possible: https://github.com/sveltejs/kit/issues/1676

I see.. well.. There is one hack you can do -> in the function you have written to send an email (on the backend), you can modify the url to remove the code from the hash and put it as a query param. And then you can consume it in SSR

yes I was typing that a moment ago, and wanted to propose if params: CreateAndSendCustomEmailParameters could also have a link_code property

Yea..

I don't see how the link code can be used for an attack though, it's auto generated for each time right?

Yes. There are more security implications to this. Perhaps @User can shed some light.

the security implication is that the query params are automatically sent to the server and can be potentially accessed/logged by proxies along the way and the also tend to appear in server logs. This isn't a problem in this specific case, since they are single use codes and we are sending them to the server by default. Still, it's good practice to put secrets into the hash, so the client can choose to use it as opposed to it being automatically sent to the server.

ok, thanks guys

For both.

great